Mozilla Foundation Security Advisory 2015-27

Caja Compiler JavaScript sandbox bypass

Announced

February 24, 2015

Reporter

Jan de Mooij

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 36

SeaMonkey 2.33

Description

Mozilla developer Jan de Mooij reported an issue that
affects web content that relies on the Caja Compiler for
protection, or other similar sandboxing libraries. He found that some JavaScript
objects marked as non-extensible within Caja and Secure EcmaScript could be made
extensible again, bypassing the Caja sandboxing security measures, when the
JavaScript code should not be allowed to run.

Firefox users are not directly impacted by this issue. This
issue affects code running in Caja within loaded web content that should run
within its protections.